> From: owner-openssl-us...@openssl.org On Behalf Of Viktor Dukhovni
> Sent: Monday, February 17, 2014 15:42
> To: openssl-users@openssl.org; owner-openssl-us...@openssl.org
(Why owner- ? Dropped.)
> On Mon, Feb 17, 2014 at 02:11:39PM -0600, espe...@oreillyauto.com wrote:
>
> > The applications use data connection pools to connect to the iSeries
> > servers we use. All of the connections use hibernate
> > (<app_name>.hibernate.connection.url=jdbc:as400://<host>;<libraries>;<options>;
> > In the options we add secure=true.
>
> This looks like "Java". Java does not use OpenSSL. It has a Java
> keystore. You need to add trusted roots to the relevant Java
> keystore. This is the wrong list for help with that. Perhaps some
> kind soul will post the right recipe here anyway, but you should
> look at the relevant Java documentation or Java help forum.
>
Concur. In general Java (to be exact, Java's SSL implementation JSSE) has
several options for its trust anchors, which may be selectable somewhere
(in hibernate?). In descending order of complexity:

- code can directly create a TrustManager with certs, either from a Java
  keystore or from some other source (maybe a local database, but if you're
  using hibernate remote maybe you don't have a local db); this is like an
  explicit X509_STORE in OpenSSL and is the most hassle, and very few apps
  bother, but general-purpose infrastructure might

- system properties javax.net.ssl.trust* can be set to specify a keystore
  file (and password and type if needed) to be used. System properties can
  be set in app code or in the JVM run command, and sometimes by app
  metadata. This is rather like _load_verify_locations in OpenSSL, except
  only the CAfile method, not the CAdir method.

- if neither of the above applies, JSSE uses a default JKS file which is
  JRE/lib/security/jssecacerts if it exists and same/cacerts otherwise.
  This is somewhat similar to _default_verify_paths in OpenSSL except that
  the JSSE default is always in the JRE subtree while the OpenSSL default
  can be set at build time to be anywhere, e.g. an OpenSSL build that runs
  in /usr/bin might put OPENSSL_DIR in /opt/pki or somesuch.
For Java you can have more than one JRE version and/or copy installed in a
system, and the default is per JRE. For OpenSSL similarly you can have
multiple builds installed, and each can have its own default. But IME
multiple JREs are pretty common (and then you must locate the correct one)
while multiple OpenSSLs are fairly rare.

Finally, one possible gotcha: OpenSSL in PEM format allows 'comment' text
before the -----BEGIN line (or after -----END), and some openssl
command-line utilities generate such text for certs. Java does support DER
and PEM formats for certs, but does not support comments. If you use PEM,
which is the openssl default and usually more convenient, make sure it is
PEM without comments.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
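The three trust-anchor options listed in the reply above (explicit TrustManager, javax.net.ssl.trustStore* properties, and the jssecacerts/cacerts fallback), together with the PEM-comment gotcha, as an added example that is not code from the original post, from OpenSSL or from the Java project. It assumes Java 8 or later (for java.util.Base64), a hypothetical PEM file whose path is passed as args[0], and a made-up output file truststore.jks protected with the password changeit; the class name JsseTrustAnchors is also an assumption. Comment text outside the -----BEGIN/-----END lines (such as the decoded dump that "openssl x509 -text" prints) is dropped before the bytes reach CertificateFactory.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Added illustration of the JSSE trust-anchor options; not part of the original post. */
public class JsseTrustAnchors {

    /**
     * Read every CERTIFICATE block from a PEM file, ignoring any comment text
     * outside the -----BEGIN/-----END lines (the gotcha from the post), and
     * parse each block with the X.509 CertificateFactory.
     */
    static List<Certificate> readPemCertificates(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> certs = new ArrayList<>();
        StringBuilder b64 = null;                       // non-null while inside a block
        // ISO-8859-1 so that non-ASCII bytes in a comment cannot abort the read
        for (String line : Files.readAllLines(pemFile, StandardCharsets.ISO_8859_1)) {
            String t = line.trim();
            if (t.startsWith("-----BEGIN CERTIFICATE-----")) {
                b64 = new StringBuilder();
            } else if (t.startsWith("-----END CERTIFICATE-----")) {
                if (b64 == null) throw new IOException("END without BEGIN in " + pemFile);
                byte[] der = Base64.getMimeDecoder().decode(b64.toString());
                certs.add(cf.generateCertificate(new ByteArrayInputStream(der)));
                b64 = null;
            } else if (b64 != null) {
                b64.append(t);                          // base64 body of the current block
            }
            // any other line is comment text and is deliberately dropped
        }
        if (b64 != null) throw new IOException("unterminated CERTIFICATE block in " + pemFile);
        if (certs.isEmpty()) throw new IOException("no CERTIFICATE block found in " + pemFile);
        return certs;
    }

    /** Option 1: an in-memory JKS store holding only the given anchors (like an explicit X509_STORE). */
    static KeyStore keyStoreFrom(List<Certificate> certs) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                            // create a fresh, empty store
        int i = 0;
        for (Certificate c : certs) ks.setCertificateEntry("trusted-" + (i++), c);
        return ks;
    }

    /** Option 1, continued: an SSLContext whose TrustManager is built from that store only. */
    static SSLContext contextTrusting(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // default key manager, default SecureRandom
        return ctx;
    }

    /** Option 2: point the whole JVM at a keystore file (same effect as -Djavax.net.ssl.trustStore=...). */
    static void useTrustStoreProperties(Path jks, String password) {
        System.setProperty("javax.net.ssl.trustStore", jks.toAbsolutePath().toString());
        System.setProperty("javax.net.ssl.trustStorePassword", password);
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
    }

    /** Option 3: the store JSSE falls back to, resolved against the JRE that is actually running. */
    static Path defaultTrustStore() {
        Path securityDir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = securityDir.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : securityDir.resolve("cacerts");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java JsseTrustAnchors <ca-cert.pem>");
            System.exit(2);
        }
        List<Certificate> anchors = readPemCertificates(Paths.get(args[0]));
        KeyStore ks = keyStoreFrom(anchors);
        SSLContext ctx = contextTrusting(ks);           // hand ctx.getSocketFactory() to code you control
        System.out.println("loaded " + anchors.size() + " trust anchor(s); protocol " + ctx.getProtocol());
        System.out.println("JVM default trust store would be: " + defaultTrustStore());

        // Persist the store so that option 2 (or a driver that only honours the JVM default) can use it.
        Path out = Paths.get("truststore.jks");         // constructed file name for the example
        try (OutputStream os = Files.newOutputStream(out)) {
            ks.store(os, "changeit".toCharArray());
        }
        useTrustStoreProperties(out, "changeit");
    }
}
```

For a driver such as the JDBC one in the question, where the application never touches the SSLContext itself, option 2 is the one that usually applies: build the JKS file once (this program, or keytool with "keytool -importcert -trustcacerts -alias iseries-ca -file ca.pem -keystore truststore.jks -storepass changeit", where the alias and file names are made up here) and start the JVM with -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit. If you prefer to clean the PEM on the OpenSSL side instead, "openssl x509 -in ca-with-comments.pem -out ca.pem" re-emits just the certificate block without the textual preamble.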